Topic: acts_as_authenticated security question
I'm using the RESTful acts_as_authenticated and have a question about attr_accessible.
Any fields you want to be changeable by the user you add to attr_accessible such as first_name, last_name etc. I also have a boolean called is_admin which is false by default.
At the moment if a user is an admin and they create a new user they get shown a checkbox for the is_admin field. The is_admin boolean never gets set (of course) unless I put it in the attr_accessible list. Is this safe?
I am assuming not because any user could create a custom request which would make them an admin?
The one solution I can think of at the moment is to protect is_admin in the controller by always setting params[:user][:is_admin] to false unless the current user is an admin themselves.
    def update
      @user = User.find(params[:id])
      @user = User.find(current_user.id)
      # protection here: non-admins can never set the flag, whatever the request contains
      params[:user][:is_admin] = false unless current_user.is_admin
      if @user.update_attributes(params[:user])
        flash[:notice] = "Your changes have been saved."
      else
        flash[:notice] = "Your changes have not been saved."
        render :action => "edit"
      end
    end
There may be a better way to do this?
Many thanks, Cham.
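The mass-assignment risk described in the post, as an added illustration (this is not code from the original post or from acts_as_authenticated). It uses a small stand-in for the old Rails attr_accessible whitelist so it runs without Rails; `MassAssignable`, `UnsafeUser` and `update_user` are names assumed for the example. `UnsafeUser` lists is_admin in attr_accessible, so a forged request flips the flag; `User` leaves it off the whitelist and the controller-side helper assigns it explicitly, and only when the acting user is already an admin.

```ruby
# Minimal stand-in for the Rails 2-era attr_accessible whitelist (assumed,
# for the example): keys not on the list are silently dropped on assignment.
module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    def accessible_attributes
      @accessible || []
    end
  end

  # Mirrors update_attributes: assign only whitelisted keys from a params hash.
  def update_attributes(attrs)
    attrs.each do |key, value|
      next unless self.class.accessible_attributes.include?(key.to_s)
      send("#{key}=", value)
    end
    self
  end
end

# Vulnerable shape: is_admin is mass-assignable, so any client that adds
# is_admin=1 to the form post becomes an admin.
class UnsafeUser
  include MassAssignable
  attr_accessor :first_name, :last_name, :is_admin
  attr_accessible :first_name, :last_name, :is_admin

  def initialize
    @is_admin = false
  end
end

# Hardened shape: is_admin is deliberately left off the whitelist, so the
# only way it changes is through explicit code that checks authorization.
class User
  include MassAssignable
  attr_accessor :first_name, :last_name, :is_admin
  attr_accessible :first_name, :last_name

  def initialize
    @is_admin = false
  end
end

# Controller-side rule (assumed helper): run mass assignment first, then
# set the privileged flag only if the acting user is an admin and the
# form actually carried the checkbox value.
def update_user(user, current_user, params)
  user.update_attributes(params[:user])
  if current_user.is_admin && params[:user].key?(:is_admin)
    user.is_admin = (params[:user][:is_admin].to_s == "1")
  end
  user
end
```

The point of the helper is that the privileged decision lives in one place and depends on `current_user`, not on what the request body claims; the whitelist alone only guarantees that nothing sets `is_admin` by accident.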